* [PATCH net] tls: fix skb_to_sgvec returning unhandled error.
@ 2018-07-02 17:25 Doron Roberts-Kedes
0 siblings, 0 replies; only message in thread
From: Doron Roberts-Kedes @ 2018-07-02 17:25 UTC (permalink / raw)
To: David S . Miller; +Cc: Dave Watson, netdev, Doron Roberts-Kedes
The current code does not inspect the return value of skb_to_sgvec. This
can cause a nullptr kernel panic when the malformed sgvec is passed into
the crypto request.
Checking the return value of skb_to_sgvec and skipping decryption if it
is negative fixes this problem.
Fixes: c46234ebb4d1 ("tls: RX path for ktls")
Acked-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Doron Roberts-Kedes <doronrk@fb.com>
---
net/tls/tls_sw.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 173d8b89072d..b6e118499083 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -701,6 +701,10 @@ static int decrypt_skb(struct sock *sk, struct sk_buff *skb,
nsg = skb_to_sgvec(skb, &sgin[1],
rxm->offset + tls_ctx->rx.prepend_size,
rxm->full_len - tls_ctx->rx.prepend_size);
+ if (nsg < 0) {
+ ret = nsg;
+ goto out;
+ }
tls_make_aad(ctx->rx_aad_ciphertext,
rxm->full_len - tls_ctx->rx.overhead_size,
@@ -712,6 +716,7 @@ static int decrypt_skb(struct sock *sk, struct sk_buff *skb,
rxm->full_len - tls_ctx->rx.overhead_size,
skb, sk->sk_allocation);
+out:
if (sgin != &sgin_arr[0])
kfree(sgin);
--
2.17.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2018-07-02 17:25 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-07-02 17:25 [PATCH net] tls: fix skb_to_sgvec returning unhandled error Doron Roberts-Kedes
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox